Definitions


We propose an interactive verification protocol (VP) that uses the concept of a verification set
of participants. A verification set of participants (VSoP) is a set of secret participants that
are needed to verify their shares. To test the validity of the shares, all shares belonging to
the participants from the VSoP are required.

The verification structure (VS) is the superset containing all verification sets of shares. The two
terms (VSoP, VS) are closely related to the authorized set of participants and the general access
structure, respectively. Moreover, we consider verification sets of participants that are subsets of
authorized sets of participants.

For instance, consider (t,n) threshold secret sharing schemes. Our proposal allows creating a
(v,t,n) sharing scheme, where v denotes the number of participants in the verification sets.


When participants belonging to the authorized set want to recover the secret, they first run
VP for all VSoPs contained in that set. In the example above, VP is run for $\binom{t}{v}$ sets.


Notation 


1. Take any secret sharing scheme (SSS) over a general access structure, with the $k$
participants $P_1, P_2, \dots, P_k$ and corresponding secret shares $s_1, s_2, \dots, s_k$. Let $C_0$
denote the combiner algorithm for that secret sharing scheme.

2. In order to implement VSS, each secret share $s_i$ should be extended by the control part $c_i$
to form the extended secret share $s'_i$ (consisting of $s_i$ and $c_i$).

3. Let $C_1(a_1,\dots,a_\alpha)$, $C_2(b_1,\dots,b_\beta)$ denote the combiner algorithms for two secret
sharing schemes operating on the sets of shares $a_1,\dots,a_\alpha$ and $b_1,\dots,b_\beta$, respectively.

























Operations in verification set of participants (VSoP) 


1. Let $s'_{i_1},\dots,s'_{i_n}$ be extended secret shares, such that each share belongs to some
participant $P_{i_\alpha}$ ($\alpha = 1,\dots,n$; $n < k$) and the set $\{P_{i_1},\dots,P_{i_n}\}$ forms a VSoP.

2. Combine $s_{i_1},\dots,s_{i_n}$ using $C_1$ to get $R_s$ (resulting secret part). Formally
$C_1(s_{i_1},\dots,s_{i_n}) = R_s$.

3. Combine $c_{i_1},\dots,c_{i_n}$ using $C_2$ to get $R_c$ (resulting control part). Formally
$C_2(c_{i_1},\dots,c_{i_n}) = R_c$.

4. $R$ is the total result, equal to $R_s R_c$ ($R_c$ appended to $R_s$), and the set $\{P_{i_1},\dots,P_{i_n}\}$ forms a VSoP.

Observation 1: when $s'_{i_1},\dots,s'_{i_n}$ are valid, then $f(R_s) = R_c$ for every $s'_i$ in the VSoP.
Observation 2: different $C_1$, $C_2$ and $f(x)$ can be used for each VSoP.


Construction of control function f(x) 


Description: 

$f(x)$ takes an $l$-bit vector $x$ and computes an $m$-bit image/control number, where $m < l$.

Requirement:

$f(x)$ should be efficient to compute.

Sample candidates for f(x): 

a. for $m = 1$ use a balanced, nonlinear Boolean function (e.g., a modified bent function)

b. for $m > 1$, one can use a vector of $m$ balanced, nonlinear Boolean functions.
Consecutive values of the functions from the vector are written as a binary sequence to form
the $m$-bit control number.

c. check-digit schemes, for instance one based on the $D_5$ symmetry group.

d. hash functions








Verification Protocol (VP) 


Verification protocol (one round). The participants can verify their shares without the
cooperation of a third party.

1. For any verification set of shares (VSoP) compute $R$, equal to $R_s R_c$.

2. Compute $f(R_s)$.

3. Test the relation between $f(R_s)$ and $R_c$:

if $f(R_s) \neq R_c$, at least one of the shares in the VSoP is invalid (negative verification result);

if $f(R_s) = R_c$, all shares in the VSoP are valid with some probability $P(s'_{i_1},\dots,s'_{i_n})$.


The protocol described above is performed for all VSoPs contained in the authorized set of
participants that want to recover the secret.

On probability $P(s'_{i_1},\dots,s'_{i_n})$


Let $C_1$, $C_2$ be combiner algorithms for perfect secret sharing schemes. In addition,
the impact on $R$ resulting from any change of bit(s) in $s'_{i_1},\dots,s'_{i_n}$ cannot be predicted in at
least one of $C_1$, $C_2$.

$P(s'_{i_1},\dots,s'_{i_n})$ depends on the length of $R_c$ ($m$ bits); we think that for a properly chosen $f(x)$
it is related to the probability of guessing an $m$-bit number. For the given $m$ there are


(- 

v2 y 


m 


m -bits numbers, hence 




r y y 

— for properly chosen f(x). 

v2 ) 


Illustrative example: (v,t,n) secret sharing scheme 


We assume that $f(x)$ is a balanced, nonlinear Boolean function with $P(s'_{i_1},\dots,s'_{i_n}) = \frac{1}{2}$.

x       f(x)
00010   0
01111   1
10000   1
10010   1
11101   0
11111   0


Take a (3,4) threshold secret sharing scheme where the secret was shared using Shamir's method ($C_0$ is
the Shamir combiner algorithm).















Participants $P_1, P_2, P_3, P_4$ hold secret shares $s'_1, s'_2, s'_3, s'_4$ respectively.

Authorized sets of participants: $\{P_1,P_2,P_3\}$, $\{P_1,P_2,P_4\}$, $\{P_1,P_3,P_4\}$, $\{P_2,P_3,P_4\}$

Verification sets of participants: $\{P_1,P_2\}$, $\{P_1,P_3\}$, $\{P_1,P_4\}$, $\{P_2,P_3\}$, $\{P_2,P_4\}$, $\{P_3,P_4\}$

Let $g(x) = 7 + 5x + 3x^2$ be a random polynomial over GF(31).

$x_i = i$ for $i \in \{1,2,3,4\}$

$s_1 = g(1) = 15 = 01111_2$, $c_1 = 1$, resulting in $s'_1 = 011111$

$s_2 = g(2) = 29 = 11101_2$, $c_2 = 0$, resulting in $s'_2 = 111010$

$s_3 = g(3) = 18 = 10010_2$, $c_3 = 1$, resulting in $s'_3 = 100101$

$s_4 = g(4) = 13 = 01101_2$, $c_4 = 1$, resulting in $s'_4 = 011011$

Let both $C_1$ and $C_2$ be the combiner algorithm for the KGH secret sharing scheme.

Now consider the authorized set $\{P_1,P_2,P_3\}$.

This authorized set has the following verification sets: $\{P_1,P_2\}$, $\{P_1,P_3\}$, $\{P_2,P_3\}$.
For:

$\{P_1,P_2\}$: $R_s = s_1 \oplus s_2 = 10010$ and $R_c = c_1 \oplus c_2 = 1$,

$\{P_1,P_3\}$: $R_s = s_1 \oplus s_3 = 11101$ and $R_c = c_1 \oplus c_3 = 0$,

$\{P_2,P_3\}$: $R_s = s_2 \oplus s_3 = 01111$ and $R_c = c_2 \oplus c_3 = 1$


Verification protocol

1st round for $\{P_1,P_2\}$: $f(R_s) = f(10010) = 1 = R_c$, hence $s'_1, s'_2$ are valid with $P(s'_1,s'_2) = \frac{1}{2}$
2nd round for $\{P_1,P_3\}$: $f(R_s) = f(11101) = 0 = R_c$, hence $s'_1, s'_3$ are valid with $P(s'_1,s'_3) = \frac{1}{2}$
3rd round for $\{P_2,P_3\}$: $f(R_s) = f(01111) = 1 = R_c$, hence $s'_2, s'_3$ are valid with $P(s'_2,s'_3) = \frac{1}{2}$


Discussion of VP results:

1. No negative verification result was obtained in any round of VP.

2. Each of $s'_i$ is valid with probability $P = 1 - \left(\frac{1}{2}\right)^2 = 0.75$
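The (3,4) example with two-participant verification sets, as an added Python sketch that is not part of the original text. It uses the page's polynomial, control bits and listed values of f(x), with XOR as the KGH combiner for both C_1 and C_2; the function names, the tampering case (one flipped control bit) and the refusal to recover after a failed round are assumptions added for illustration.

```python
from itertools import combinations

P = 31  # GF(31), the field of the page's example
# Values of the control function f(x) listed on the page (partial table).
F_TABLE = {0b00010: 0, 0b01111: 1, 0b10000: 1,
           0b10010: 1, 0b11101: 0, 0b11111: 0}
CONTROL = {1: 1, 2: 0, 3: 1, 4: 1}  # control bits c_i from the page

def g(x):
    """The page's polynomial g(x) = 7 + 5x + 3x^2 over GF(31)."""
    return (7 + 5 * x + 3 * x * x) % P

def extend(s, c):
    """Extended share s'_i: control bit c_i appended to the 5-bit s_i."""
    return (s << 1) | c

def verify_set(ext_shares):
    """One VP round: XOR-combine both parts, then test f(R_s) == R_c."""
    r_s = r_c = 0
    for e in ext_shares:
        r_s ^= e >> 1   # secret part
        r_c ^= e & 1    # control part
    if r_s not in F_TABLE:
        raise ValueError(f"f({r_s:05b}) is not listed on the page")
    return F_TABLE[r_s] == r_c

def run_vp(shares, authorized, v=2):
    """Run VP for every v-subset of the authorized set; return failing sets."""
    return [vs for vs in combinations(sorted(authorized), v)
            if not verify_set([shares[i] for i in vs])]

def shamir_recover(points):
    """C_0: Lagrange interpolation at x = 0 over GF(31)."""
    secret = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

SHARES = {i: extend(g(i), CONTROL[i]) for i in CONTROL}

def recover_if_valid(shares, authorized):
    """Recover g(0) only when no verification set gives a negative result."""
    if run_vp(shares, authorized):
        return None
    return shamir_recover([(i, shares[i] >> 1) for i in authorized])
```

With the page's shares, all six verification sets pass and any authorized set recovers g(0) = 7; flipping the control bit of P_2's share makes the rounds for {P_1,P_2} and {P_2,P_3} negative.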



Conclusions 

The presented VSS has the following features:

works for any secret sharing scheme, 

does not require cooperation of the trusted third party, 

can be implemented for general access structure, 

its efficiency is not related to the number of dishonest participants, 

does not weaken security parameter of underlying secret sharing scheme. 

The last requirement means that no extra information about the secret is revealed. 

For example, a perfect secret sharing scheme, when used with the proposed VSS, still remains
perfect. The information rate for the secret shares is always smaller than one, even for
underlying ideal secret sharing schemes. In a particular design it can be made close to one.


















